The branch, master has been updated via 86b6353644d python:join: run domain adprep as part of join_provision_own_domain() via 4bba26579d1 python:provision: run adprep as part of provision via f6d9f3760f7 samba-tool: let 'domain provision' to use the 2019 schema by default via 90faa58e7fb samba-tool: let 'domain schemaupgrade' to use the 2019 schema by default via 245a8aaf41f samba-tool: let 'domain functionalprep' to use functional level 2016 by default via da74c3fde10 samba-tool: allow 'domain level raise' to support level 2016 via e855fe20681 python/samba: let get_domain_descriptor() include adprep 2016 ACEs via 1e024f6568e domain_update: implement updates 82-89 in order to reach the latest w2016 level via c8f8efb31e9 forest_update: behave more like a Windows 2022 server via c405f211760 setup/adprep: import the latest {Domain-Wide,Forest-Wide,Read-Only-Domain-Controller,Schema}-Updates.md via c4b87dd50de setup/ad-schema: add the latest v1803 and v1903 schema files from Microsoft via dcce25ae8a7 python/samba: adapt ms_schema[_markdown].py to the latest schema definitions via b2fbfa0ff1c python/samba: adapt ms_forest_updates_markdown.py to the latest Forest-Wide-Updates.md via 17ce8beac3f python/samba: add support for LDB_CHANGETYPE_MODRDN to modify_ldif() via 167f0235865 lib/ldb: add LDB_CHANGETYPE_MODRDN support to ldb_ldif_to_pyobject() via 5011221996f python/samba: add support for LDB_CHANGETYPE_DELETE to modify_ldif() via 7055ec0a0b9 lib/ldb: add LDB_CHANGETYPE_DELETE support to ldb_ldif_to_pyobject() via 3ad3c1a69d0 python/samba: let modify_ldif() verify the changetype value via e24e7b96338 lib/ldb: re-order code in ldb_ldif_to_pyobject() via cc5df80152d lib/ldb: let ldb_ldif_parse_modrdn() handle names without 'rdn_name=' prefix via f860e19c846 domain_update: make use of self.sd_utils.update_aces_in_dacl() via a3dac8efe4b domain_update: remove useless searches to '(objectClass=samDomain)' via c87f2606ae3 domain_update: make use of '"CN"' in sddl instead of 
using an explicit SID via a10f4f7cd25 domain_update: be more verbose about updates via a8c0e82f928 forest_update: be more verbose about updates via 65275acf058 forest_update: make use of self.sd_utils.update_aces_in_dacl() via a89b158d3f1 forest_update: we don't need any controls to update sddl attributes via f1f79a2e4b1 forest_update: only update SDDL for schema objects via 838a36c743c forest_update: ignore ldb.ERR_ATTRIBUTE_OR_VALUE_EXISTS in operation_ldif() via 7fe87d3c8de functional_prep: fix error handling in order to stop on the first error via 65653bb02c2 schema_upgrade: add support for ntdsschemamodrdn and ntdsschemadelete via 65294d56bdf python/tests: use changetype: modify in order to delete a single attribute via c35ae5a77d5 s4:dsdb/tests: use changetype: modify in order to delete a single attribute via 01400b59803 blackbox/dbcheck: also run currently unused dbcheck_reset_well_known_acls via bb09c06d6d5 libcli/security: rewrite calculate_inherited_from_parent() via a0217c50e92 s4:dsdb/tests: add more detailed tests to sec_descriptor.py via 731c85add11 s4:dsdb/tests: allow sec_descriptor.py to run against Windows 2022 via 6de4849f9ca s4:dsdb/tests: convert sec_descriptor.py to use assert[Not]In() via 2436d621d19 s4:dsdb/tests: let AclUndeleteTests.test_undelete() remove the temporary ACE again via e0a8e043d33 s4:dsdb/tests: let OwnerGroupDescriptorTests() remove temporary ACEs on cleanup via 7b0d5285361 s4:dsdb/tests: let OwnerGroupDescriptorTests.test_141() set the required ACE explicitly from 7e3cbc2c641 s4:kdc: Fix typo
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 86b6353644dc9e32d250efffab13ebde7009477d Author: Stefan Metzmacher <me...@samba.org> Date: Fri Mar 17 16:48:26 2023 +0100 python:join: run domain adprep as part of join_provision_own_domain() This is currently unused as we don't support more than one domain per forest, but it will help it future. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Wed Mar 22 23:05:39 UTC 2023 on atb-devel-224 commit 4bba26579d124af6c0767bb98bee67357001e1e7 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Mar 17 16:48:26 2023 +0100 python:provision: run adprep as part of provision With the default of base_schema=2019 we'll adprep to 2016. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit f6d9f3760f7df8595a3882b3ad526326abbba1ca Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 23 15:05:01 2023 +0100 samba-tool: let 'domain provision' to use the 2019 schema by default Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 90faa58e7fb7cc7979f0e85bfcf9fc925879e8ce Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 23 15:05:01 2023 +0100 samba-tool: let 'domain schemaupgrade' to use the 2019 schema by default Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 245a8aaf41f652e2112dfa4b2c32613968656380 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 23 15:05:01 2023 +0100 samba-tool: let 'domain functionalprep' to use functional level 2016 by default 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit da74c3fde105789919f45088fba6a2731a98c35c Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 23 15:05:01 2023 +0100 samba-tool: allow 'domain level raise' to support level 2016 We don't support anything higher than 2008_R2 in Samba, but it's possible to run this against a remove server too. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e855fe206810e48181cb3431a80840bf618d5f16 Author: Stefan Metzmacher <me...@samba.org> Date: Sat Mar 18 16:00:14 2023 +0100 python/samba: let get_domain_descriptor() include adprep 2016 ACEs We need to make sure a new provision as well as dbcheck --reset-well-known-acls include acls used by adprep 2016, otherwise we would undo the adprep result. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 1e024f6568ec03f7361a941ba7f3d7fb5801a30e Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 23 15:15:55 2023 +0100 domain_update: implement updates 82-89 in order to reach the latest w2016 level I implemented them by looking at source4/setup/adprep/WindowsServerDocs/Domain-Wide-Updates.md.unused and looking at a network capture where a Windows 2022 joins an Windows 2008R2 domain. The strange thing is that Windows (tested with server 2022) uses c81fc9cc-0130-f4d1-b272-634d74818133 for update 83, while Domain-Wide-Updates.md and a fresh installation use c81fc9cc-0130-4fd1-b272-634d74818133. In order to match a fresh installation we use c81fc9cc-0130-4fd1-b272-634d74818133. 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c8f8efb31e9fc7e9e66869811a78ae14ca127e00 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 23 15:13:09 2023 +0100 forest_update: behave more like a Windows 2022 server It means we apply updates from 11-142 and list all known updates. It turns out that update 53 is actually update 54... Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c405f2117608a6249494e1239faea711a9c756ca Author: Stefan Metzmacher <me...@samba.org> Date: Sat Feb 23 08:44:05 2019 +0100 setup/adprep: import the latest {Domain-Wide,Forest-Wide,Read-Only-Domain-Controller,Schema}-Updates.md We have Domain-Wide-Updates.md and Read-Only-Domain-Controller-Updates.md only for completeness, they are not parsed/used yet, so we added .unused in order to avoid confusion in future. Initially I tried to go with an ms_domain_updates_markdown.py, but it is easier to add the current updates by hand to domain_update.py, which will follow in the next commits. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c4b87dd50deacca00dfe70df6ab5872e0cae34e8 Author: Stefan Metzmacher <me...@samba.org> Date: Sat Feb 23 08:44:05 2019 +0100 setup/ad-schema: add the latest v1803 and v1903 schema files from Microsoft Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit dcce25ae8a769fe5ea5df7ad0eaa27283b1b34cd Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 23 15:02:29 2023 +0100 python/samba: adapt ms_schema[_markdown].py to the latest schema definitions 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit b2fbfa0ff1cdecc272d0e71d5ab73febc6af455e Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 23 15:02:04 2023 +0100 python/samba: adapt ms_forest_updates_markdown.py to the latest Forest-Wide-Updates.md Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 17ce8beac3fc05cd92a9cf6d3d9f179bb03a738b Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 13 15:03:39 2023 +0100 python/samba: add support for LDB_CHANGETYPE_MODRDN to modify_ldif() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 167f0235865e4bffcb140c3e636533aa230c4db7 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 13 14:58:29 2023 +0100 lib/ldb: add LDB_CHANGETYPE_MODRDN support to ldb_ldif_to_pyobject() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 5011221996f34c0df0660b55537dfc1a5c7a951b Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 13 14:56:55 2023 +0100 python/samba: add support for LDB_CHANGETYPE_DELETE to modify_ldif() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 7055ec0a0b9ac1bd443360b8b358894e0a79dc69 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 13 14:55:12 2023 +0100 lib/ldb: add LDB_CHANGETYPE_DELETE support to ldb_ldif_to_pyobject() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 3ad3c1a69d01c4de87476824d84539b186b6b587 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 13 14:42:29 2023 +0100 python/samba: let modify_ldif() verify the changetype value DELETE and MODRDN are not really supported yet. 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e24e7b96338e1d7bd157f89456a917465b658db7 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 13 14:35:20 2023 +0100 lib/ldb: re-order code in ldb_ldif_to_pyobject() We don't allow MODRDN and DELETE for now as they don't work as is anyway. We'll add these in the next steps. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit cc5df80152d713dfa6652efc3c4fa3fa46b8faf8 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 23 14:56:39 2023 +0100 lib/ldb: let ldb_ldif_parse_modrdn() handle names without 'rdn_name=' prefix This is needed in order to process schema updates. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit f860e19c8465608266161c2909fea8ad74aec874 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 13 12:32:10 2023 +0100 domain_update: make use of self.sd_utils.update_aces_in_dacl() There's only a single domainDNS object in a domain and it's the partition base object... Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit a3dac8efe4b6c5b55c3dfde7ee40e45706455058 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 13 12:05:24 2023 +0100 domain_update: remove useless searches to '(objectClass=samDomain)' samDomain is an auxiliary class of domainDNS, so we'll handle them in the search for domainDNS anyway. In addition searches for auxiliary classes will never be found in searches. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c87f2606ae3a2dbca369b8b94d2255371a963226 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 13 11:57:14 2023 +0100 domain_update: make use of '"CN"' in sddl instead of using an explicit SID 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit a10f4f7cd25c06b7d8573195150b3c4557743370 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 23 15:10:56 2023 +0100 domain_update: be more verbose about updates Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit a8c0e82f9287d3dc4997cb9336dea4742687d8e7 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 23 15:10:33 2023 +0100 forest_update: be more verbose about updates Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 65275acf0588a366797f80b8668cdcacaa18e495 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 13 13:49:09 2023 +0100 forest_update: make use of self.sd_utils.update_aces_in_dacl() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit a89b158d3f1cb65f979a762f25624850fd75e311 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 13 13:53:53 2023 +0100 forest_update: we don't need any controls to update sddl attributes Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit f1f79a2e4b18e4e5a927557889572a9004f7ed32 Author: Stefan Metzmacher <me...@samba.org> Date: Sat Mar 11 03:35:57 2023 +0100 forest_update: only update SDDL for schema objects Updates to domainDNS objects are done by the domain updates. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 838a36c743c7d0dff98e7ab7c9de6154221c7c9e Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 23 15:11:55 2023 +0100 forest_update: ignore ldb.ERR_ATTRIBUTE_OR_VALUE_EXISTS in operation_ldif() This matches what Windows is doing... 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 7fe87d3c8decea40aa4b76fb4446b47f2aebeac9 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 23 15:05:59 2023 +0100 functional_prep: fix error handling in order to stop on the first error Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 65653bb02c269e132097452a5a82bf991b4b1ea8 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 23 15:03:14 2023 +0100 schema_upgrade: add support for ntdsschemamodrdn and ntdsschemadelete They are used in newer schema uprades from Microsoft. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 65294d56bdf82aa68ff9087810e593e245b3cb4d Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 23 17:07:20 2023 +0100 python/tests: use changetype: modify in order to delete a single attribute 'changetype: delete' is used to delete a whole object! Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c35ae5a77d5883383b5e26358222948dcb79b4d2 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 23 17:01:55 2023 +0100 s4:dsdb/tests: use changetype: modify in order to delete a single attribute 'changetype: delete' is used to delete a whole object! Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 01400b59803b4ff70178dfe9da17cfa0a006821b Author: Stefan Metzmacher <me...@samba.org> Date: Sat Mar 18 13:54:40 2023 +0100 blackbox/dbcheck: also run currently unused dbcheck_reset_well_known_acls This makes sure that we detect if dbcheck --reset-well-known-acls tries to reset to unexpected values, which we expect to currect in recent provisions. 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit bb09c06d6d58a04e1d270a9f99d1179cfa9acbda Author: Stefan Metzmacher <me...@samba.org> Date: Sat Mar 18 01:17:04 2023 +0100 libcli/security: rewrite calculate_inherited_from_parent() This allows us to pass the new tests we just added. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit a0217c50e920557046628bb171f2addea2ad7416 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Mar 22 14:48:00 2023 +0100 s4:dsdb/tests: add more detailed tests to sec_descriptor.py These demonstrate how inherited aces are constructed and applies per objectclass, with and without the NO_PROPAGATE_INHERIT flag. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 731c85add116b8ab192d9a2d3bc56296635a226d Author: Stefan Metzmacher <me...@samba.org> Date: Wed Mar 22 14:48:00 2023 +0100 s4:dsdb/tests: allow sec_descriptor.py to run against Windows 2022 We need SEC_STD_DELETE in order to run the test twice against the same server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 6de4849f9cacbe7e08834fa340a70f7aebe9e6f9 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Mar 22 14:48:00 2023 +0100 s4:dsdb/tests: convert sec_descriptor.py to use assert[Not]In() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 2436d621d1940f127f164ca227a14b1d9b573eb5 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 20 13:02:47 2023 +0100 s4:dsdb/tests: let AclUndeleteTests.test_undelete() remove the temporary ACE again Otherwise we impact other unrelated tests, e.g. 'blackbox.dbcheck'. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e0a8e043d339cf5e1c9b2643e6d151ab2ae81c05 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 20 12:04:37 2023 +0100 s4:dsdb/tests: let OwnerGroupDescriptorTests() remove temporary ACEs on cleanup Otherwise we impact other unrelated tests, e.g. 'blackbox.dbcheck'. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 7b0d5285361e6dc40e09bc0d36bb2aae5d5a86a7 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 20 12:04:37 2023 +0100 s4:dsdb/tests: let OwnerGroupDescriptorTests.test_141() set the required ACE explicitly All other tests use the same logic and run before, which means the ACE is already there and is implicitly required. As we want to cleanup the ACE after each test in the next step, as the tests should not have side effects for other tests, e.g. 'blackbox.dbcheck'. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: lib/ldb/common/ldb_ldif.c | 20 + lib/ldb/pyldb.c | 104 +- libcli/security/create_descriptor.c | 247 +- python/samba/__init__.py | 17 +- python/samba/descriptor.py | 7 + python/samba/domain_update.py | 382 +- python/samba/forest_update.py | 251 +- python/samba/join.py | 29 +- python/samba/ms_forest_updates_markdown.py | 41 +- python/samba/ms_schema.py | 11 +- python/samba/ms_schema_markdown.py | 4 + python/samba/netcmd/domain.py | 81 +- python/samba/provision/__init__.py | 71 +- python/samba/schema.py | 10 +- python/samba/tests/audit_log_dsdb.py | 4 +- python/samba/upgradehelpers.py | 5 +- source4/dsdb/tests/python/acl.py | 1 + source4/dsdb/tests/python/notification.py | 2 +- source4/dsdb/tests/python/sec_descriptor.py | 812 +- source4/scripting/bin/samba_upgradeprovision | 2 +- ...f => AD_DS_Attributes_Windows_Server_v1903.ldf} | 26350 ++++----- ... 
=> AD_DS_Attributes__Windows_Server_v1803.ldf} | 26350 ++++----- ....ldf => AD_DS_Classes_Windows_Server_v1903.ldf} | 1254 +- ...ldf => AD_DS_Classes__Windows_Server_v1803.ldf} | 185 +- .../Domain-Wide-Updates.md.unused | 58 + .../WindowsServerDocs/Forest-Wide-Updates.md | 95 +- .../Read-Only-Domain-Controller-Updates.md.unused | 16 + .../setup/adprep/WindowsServerDocs/Sch49.ldf.diff | 13 +- .../setup/adprep/WindowsServerDocs/Sch50.ldf.diff | 16 +- .../setup/adprep/WindowsServerDocs/Sch51.ldf.diff | 30 +- .../setup/adprep/WindowsServerDocs/Sch57.ldf.diff | 16 +- .../setup/adprep/WindowsServerDocs/Sch59.ldf.diff | 12 +- .../adprep/WindowsServerDocs/Schema-Updates.md | 53142 +++++++++++++++++-- source4/setup/tests/blackbox_provision.sh | 30 +- testprogs/blackbox/dbcheck-oldrelease.sh | 8 +- testprogs/blackbox/dbcheck.sh | 9 +- testprogs/blackbox/functionalprep.sh | 23 +- testprogs/blackbox/schemaupgrade.sh | 2 +- 38 files changed, 77201 insertions(+), 32509 deletions(-) copy source4/setup/ad-schema/{AD_DS_Attributes__Windows_Server_2016.ldf => AD_DS_Attributes_Windows_Server_v1903.ldf} (96%) copy source4/setup/ad-schema/{AD_DS_Attributes__Windows_Server_2016.ldf => AD_DS_Attributes__Windows_Server_v1803.ldf} (96%) copy source4/setup/ad-schema/{AD_DS_Classes__Windows_Server_2016.ldf => AD_DS_Classes_Windows_Server_v1903.ldf} (81%) copy source4/setup/ad-schema/{AD_DS_Classes__Windows_Server_2016.ldf => AD_DS_Classes__Windows_Server_v1803.ldf} (94%) create mode 100644 source4/setup/adprep/WindowsServerDocs/Domain-Wide-Updates.md.unused create mode 100644 source4/setup/adprep/WindowsServerDocs/Read-Only-Domain-Controller-Updates.md.unused Changeset truncated at 500 lines: diff --git a/lib/ldb/common/ldb_ldif.c b/lib/ldb/common/ldb_ldif.c index 6f7589fef68..fc9a4fd0939 100644 --- a/lib/ldb/common/ldb_ldif.c +++ b/lib/ldb/common/ldb_ldif.c 
@@ -584,6 +584,7 @@ int ldb_ldif_parse_modrdn(struct ldb_context *ldb,
 struct ldb_dn **_newdn)
 {
 struct ldb_message *msg = ldif->msg;
+ struct ldb_val _newrdn_val = {};
 struct ldb_val *newrdn_val = NULL;
 struct ldb_val *deleteoldrdn_val = NULL;
 struct ldb_val *newsuperior_val = NULL;
@@ -667,6 +668,25 @@ int ldb_ldif_parse_modrdn(struct ldb_context *ldb,
 goto err_op;
 }
 
+ if (newrdn_val->length != 0 && strchr((const char *)newrdn_val->data, '=') == NULL) {
+ const char *rdn_name = ldb_dn_get_rdn_name(olddn);
+ char *new_rdn = NULL;
+
+ new_rdn = talloc_asprintf(tmp_ctx,
+ "%s=%s",
+ rdn_name,
+ (const char *)newrdn_val->data);
+ if (new_rdn == NULL) {
+ ldb_debug(ldb, LDB_DEBUG_ERROR,
+ "Error: failed to allocate '%s=%s'",
+ rdn_name, (char *)newrdn_val->data);
+ goto err_op;
+ }
+ _newrdn_val.data = (uint8_t *)new_rdn;
+ _newrdn_val.length = strlen(new_rdn);
+ newrdn_val = &_newrdn_val;
+ }
+
 newrdn = ldb_dn_from_ldb_val(tmp_ctx, ldb, newrdn_val);
 if (!ldb_dn_validate(newrdn)) {
 ldb_debug(ldb, LDB_DEBUG_ERROR,
diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
index da60572ff0f..b7bc3bf0e62 100644
--- a/lib/ldb/pyldb.c
+++ b/lib/ldb/pyldb.c
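Review bot: In the new bare-name branch `ldb_dn_get_rdn_name(olddn)` can return NULL (an olddn with no components has no RDN), and that NULL is then handed as a `%s` argument to both `talloc_asprintf()` and the `ldb_debug()` format, which is undefined behaviour; add `if (rdn_name == NULL) { goto err_op; }` before the allocation. The value is also spliced into the DN string without any DN escaping, so a newrdn containing `,`, `+` or a leading `#` is parsed as extra components or a different value instead of being rejected; if the prefix-less form is only meant for schema-update LDIF, either escape it (ldb provides `ldb_dn_escape_value()`) or reject values containing DN special characters, and say so in a comment. The `strchr()` scan presumably relies on the LDIF reader NUL-terminating values, which `struct ldb_val` itself does not guarantee, so a one-line comment stating that assumption would help the next reader. The enclosing function starts and ends outside the hunk.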
@@ -1709,20 +1709,97 @@ static PyObject *py_ldb_schema_attribute_add(PyLdbObject *self, PyObject *args)
 Py_RETURN_NONE;
 }
 
-static PyObject *ldb_ldif_to_pyobject(struct ldb_ldif *ldif)
+static PyObject *ldb_ldif_to_pyobject(struct ldb_context *ldb, struct ldb_ldif *ldif)
 {
+ PyObject *obj = NULL;
+ PyObject *result = NULL;
+
 if (ldif == NULL) {
 Py_RETURN_NONE;
- } else {
- /* We don't want this attached to the 'ldb' any more */
- PyObject *obj = PyLdbMessage_FromMessage(ldif->msg);
- PyObject *result =
- Py_BuildValue(discard_const_p(char, "(iO)"),
- ldif->changetype,
- obj);
- Py_CLEAR(obj);
- return result;
 }
+
+ switch (ldif->changetype) {
+ case LDB_CHANGETYPE_NONE:
+ case LDB_CHANGETYPE_ADD:
+ obj = PyLdbMessage_FromMessage(ldif->msg);
+ break;
+ case LDB_CHANGETYPE_MODIFY:
+ obj = PyLdbMessage_FromMessage(ldif->msg);
+ break;
+ case LDB_CHANGETYPE_DELETE:
+ if (ldif->msg->num_elements != 0) {
+ PyErr_Format(PyExc_ValueError,
+ "CHANGETYPE(DELETE) with num_elements=%u",
+ ldif->msg->num_elements);
+ return NULL;
+ }
+ obj = pyldb_Dn_FromDn(ldif->msg->dn);
+ break;
+ case LDB_CHANGETYPE_MODRDN: {
+ struct ldb_dn *olddn = NULL;
+ PyObject *olddn_obj = NULL;
+ bool deleteoldrdn = false;
+ PyObject *deleteoldrdn_obj = NULL;
+ struct ldb_dn *newdn = NULL;
+ PyObject *newdn_obj = NULL;
+ int ret;
+
+ ret = ldb_ldif_parse_modrdn(ldb,
+ ldif,
+ ldif,
+ &olddn,
+ NULL,
+ &deleteoldrdn,
+ NULL,
+ &newdn);
+ if (ret != LDB_SUCCESS) {
+ PyErr_Format(PyExc_ValueError,
+ "ldb_ldif_parse_modrdn() failed");
+ return NULL;
+ }
+
+ olddn_obj = pyldb_Dn_FromDn(olddn);
+ if (olddn_obj == NULL) {
+ return NULL;
+ }
+ if (deleteoldrdn) {
+ deleteoldrdn_obj = Py_True;
+ } else {
+ deleteoldrdn_obj = Py_False;
+ }
+ newdn_obj = pyldb_Dn_FromDn(newdn);
+ if (olddn_obj == NULL) {
+ deleteoldrdn_obj = NULL;
+ Py_CLEAR(olddn_obj);
+ return NULL;
+ }
+
+ obj = Py_BuildValue(discard_const_p(char, "{s:O,s:O,s:O}"),
+ "olddn", olddn_obj,
+ "deleteoldrdn", deleteoldrdn_obj,
+ "newdn", newdn_obj);
+ Py_CLEAR(olddn_obj);
+ deleteoldrdn_obj = NULL;
+ Py_CLEAR(newdn_obj);
+ }
+ break;
+ default:
+ PyErr_Format(PyExc_NotImplementedError,
+ "Unsupported LDB_CHANGETYPE(%u)",
+ ldif->changetype);
+ return NULL;
+ }
+
+ if (obj == NULL) {
+ return NULL;
+ }
+
+ /* We don't want this being attached * to the 'ldb' any more */
+ result = Py_BuildValue(discard_const_p(char, "(iO)"),
+ ldif->changetype,
+ obj);
+ Py_CLEAR(obj);
+ return result;
 }
@@ -1784,10 +1861,12 @@ static PyObject *py_ldb_parse_ldif(PyLdbObject *self, PyObject *args)
 talloc_steal(mem_ctx, ldif);
 if (ldif) {
 int res = 0;
- PyObject *py_ldif = ldb_ldif_to_pyobject(ldif);
+ PyObject *py_ldif = ldb_ldif_to_pyobject(self->ldb_ctx, ldif);
 if (py_ldif == NULL) {
 Py_CLEAR(list);
- PyErr_BadArgument();
+ if (PyErr_Occurred() == NULL) {
+ PyErr_BadArgument();
+ }
 talloc_free(mem_ctx);
 return NULL;
 }
@@ -4427,6 +4506,7 @@ static PyObject* module_init(void)
 ADD_LDB_INT(CHANGETYPE_ADD);
 ADD_LDB_INT(CHANGETYPE_DELETE);
 ADD_LDB_INT(CHANGETYPE_MODIFY);
+ ADD_LDB_INT(CHANGETYPE_MODRDN);
 
 ADD_LDB_INT(FLAG_MOD_ADD);
 ADD_LDB_INT(FLAG_MOD_REPLACE);
diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
index 5a2351511ce..ccb32593ecb 100644
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
@@ -79,7 +79,7 @@ uint32_t map_generic_rights_ds(uint32_t access_mask)
 
 /* Not sure what this has to be,
 * and it does not seem to have any influence */
-static bool object_in_list(struct GUID *object_list, struct GUID *object)
+static bool object_in_list(const struct GUID *object_list, const struct GUID *object)
 {
 size_t i;
 
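Review bot: The NULL check that follows `newdn_obj = pyldb_Dn_FromDn(newdn);` tests `olddn_obj`, which was already verified a few lines earlier, so a failed conversion of newdn falls through to `Py_BuildValue()` with a NULL pointer and leaks `olddn_obj`; it should read `if (newdn_obj == NULL) {`. The DELETE branch hands `ldif->msg->dn` to `pyldb_Dn_FromDn()` with no NULL check, which is presumably safe only if the LDIF reader always sets a DN for a delete record; a comment stating that, or an explicit `ValueError`, would make the contract visible. The `ldb_ldif_parse_modrdn()` failure path reports only "failed"; appending `ldb_strerror(ret)` to the message would let a Python caller see why a modrdn record was rejected.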
@@ -108,7 +108,7 @@ static bool object_in_list(struct GUID *object_list, struct GUID *object)
 
 /* returns true if the ACE gontains generic information
 * that needs to be processed additionally */
-static bool desc_ace_has_generic(struct security_ace *ace)
+static bool desc_ace_has_generic(const struct security_ace *ace)
 {
 if (ace->access_mask & SEC_GENERIC_ALL || ace->access_mask & SEC_GENERIC_READ ||
 ace->access_mask & SEC_GENERIC_WRITE || ace->access_mask & SEC_GENERIC_EXECUTE) {
@@ -156,12 +156,114 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
 }
 
 for (i=0; i < acl->num_aces; i++) {
- struct security_ace *ace = &acl->aces[i];
- if ((ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) ||
- (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
- struct GUID inherited_object = GUID_zero();
+ const struct security_ace *ace = &acl->aces[i];
+ const struct GUID *inherited_object = NULL;
+ const struct GUID *inherited_property = NULL;
+ struct security_ace *tmp_ace = NULL;
+ bool applies = false;
+ bool inherited_only = false;
+ bool expand_ace = false;
+ bool expand_only = false;
+
+ if (is_container && (ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) {
+ applies = true;
+ } else if (!is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
+ applies = true;
+ }
+
+ if (!applies) {
+ /*
+ * If the ace doesn't apply to the
+ * current node, we should only keep
+ * it as SEC_ACE_FLAG_OBJECT_INHERIT
+ * on a container. We'll add
+ * SEC_ACE_FLAG_INHERITED_ACE
+ * and SEC_ACE_FLAG_INHERIT_ONLY below.
+ *
+ * Otherwise we should completely ignore it.
+ */
+ if (!(ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
+ continue;
+ }
+ }
+
+ switch (ace->type) {
+ case SEC_ACE_TYPE_ACCESS_ALLOWED:
+ case SEC_ACE_TYPE_ACCESS_DENIED:
+ case SEC_ACE_TYPE_SYSTEM_AUDIT:
+ case SEC_ACE_TYPE_SYSTEM_ALARM:
+ case SEC_ACE_TYPE_ALLOWED_COMPOUND:
+ break;
+
+ case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
+ case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
+ case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
+ case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
+ if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
+ inherited_property = &ace->object.object.type.type;
+ }
+ if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
+ inherited_object = &ace->object.object.inherited_type.inherited_type;
+ }
+
+ if (inherited_object != NULL && !object_in_list(object_list, inherited_object)) {
+ /*
+ * An explicit object class schemaId is given,
+ * but doesn't belong to the current object.
+ */
+ applies = false;
+ }
 
- tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces,
+ break;
+ }
+
+ if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
+ if (!applies) {
+ /*
+ * If the ACE doesn't apply to
+ * the current object, we should
+ * ignore it as it should not be
+ * inherited any further
+ */
+ continue;
+ }
+ /*
+ * We should only keep the expanded version
+ * of the ACE on the current object.
+ */
+ expand_ace = true;
+ expand_only = true;
+ } else if (applies) {
+ /*
+ * We check if should also add
+ * the expanded version of the ACE
+ * in addition, in case we should
+ * expand generic access bits or
+ * special sids.
+ *
+ * In that case we need to
+ * keep the original ACE with
+ * SEC_ACE_FLAG_INHERIT_ONLY.
+ */
+ expand_ace = desc_ace_has_generic(ace);
+ if (expand_ace) {
+ inherited_only = true;
+ }
+ } else {
+ /*
+ * If the ACE doesn't apply
+ * to the current object,
+ * we need to keep it with
+ * SEC_ACE_FLAG_INHERIT_ONLY
+ * in order to apply them to
+ * grandchildren
+ */
+ inherited_only = true;
+ }
+
+ if (expand_ace) {
+ tmp_acl->aces = talloc_realloc(tmp_acl,
+ tmp_acl->aces,
 struct security_ace,
 tmp_acl->num_aces+1);
 if (tmp_acl->aces == NULL) {
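Review bot: The `switch (ace->type)` that classifies object ACEs has no `default:` branch, so an ACE whose type is outside the nine enumerated values (for example a callback or resource-attribute ACE in a descriptor received from a newer Windows) is silently treated as a plain non-object ACE and inherited with its payload unchanged; the removed code had the same gap, but this rewrite is the place to add an explicit `default:` that either drops the ACE or documents that the enum is closed, so the decision is visible rather than accidental. The four flags `applies`, `inherited_only`, `expand_ace` and `expand_only` are assigned across three separate blocks and consumed later, so a short comment above the `switch` summarising the four outcomes — copy as applying, copy as INHERIT_ONLY for grandchildren, expanded copy only, drop — would let a reader check each branch against the intended inheritance rules without re-deriving them. `calculate_inherited_from_parent()` begins before this hunk and its body continues in the next one.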
@@ -169,61 +271,96 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx, return NULL; } - tmp_acl->aces[tmp_acl->num_aces] = *ace; - tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERITED_ACE; - /* remove IO flag from the child's ace */ - if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY && - !desc_ace_has_generic(ace)) { - tmp_acl->aces[tmp_acl->num_aces].flags &= ~SEC_ACE_FLAG_INHERIT_ONLY; - } + tmp_ace = &tmp_acl->aces[tmp_acl->num_aces]; + tmp_acl->num_aces++; - if (is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) - tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY; - - switch (ace->type) { - case SEC_ACE_TYPE_ACCESS_ALLOWED: - case SEC_ACE_TYPE_ACCESS_DENIED: - case SEC_ACE_TYPE_SYSTEM_AUDIT: - case SEC_ACE_TYPE_SYSTEM_ALARM: - case SEC_ACE_TYPE_ALLOWED_COMPOUND: - break; - - case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: - case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: - case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: - case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: - if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) { - inherited_object = ace->object.object.inherited_type.inherited_type; - } + *tmp_ace = *ace; + + /* + * Expand generic access bits as well as special + * sids. + */ + desc_expand_generic(tmp_ace, owner, group); + + /* + * Expanded ACEs are marked as inherited, + * but never inherited any further to + * grandchildren. + */ + tmp_ace->flags |= SEC_ACE_FLAG_INHERITED_ACE; + tmp_ace->flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT; + tmp_ace->flags &= ~SEC_ACE_FLAG_OBJECT_INHERIT; + tmp_ace->flags &= ~SEC_ACE_FLAG_NO_PROPAGATE_INHERIT; + + /* + * Expanded ACEs never have an explicit + * object class schemaId, so clear it + * if present. 
+ */ + if (inherited_object != NULL) { + tmp_ace->object.object.flags &= ~SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT; + } - if (!object_in_list(object_list, &inherited_object)) { - tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY; + /* + * If the ACE had an explicit object class + * schemaId, but no attribute/propertySet + * we need to downgrate the _OBJECT variants + * to the normal ones. + */ + if (inherited_property == NULL) { + switch (tmp_ace->type) { + case SEC_ACE_TYPE_ACCESS_ALLOWED: + case SEC_ACE_TYPE_ACCESS_DENIED: + case SEC_ACE_TYPE_SYSTEM_AUDIT: + case SEC_ACE_TYPE_SYSTEM_ALARM: + case SEC_ACE_TYPE_ALLOWED_COMPOUND: + break; + case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: + tmp_ace->type = SEC_ACE_TYPE_ACCESS_ALLOWED; + break; + case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: + tmp_ace->type = SEC_ACE_TYPE_ACCESS_DENIED; + break; + case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: + tmp_ace->type = SEC_ACE_TYPE_SYSTEM_ALARM; + break; + case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: + tmp_ace->type = SEC_ACE_TYPE_SYSTEM_AUDIT; + break; } - - break; } - tmp_acl->num_aces++; - if (is_container) { - if (!(ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) && - (desc_ace_has_generic(ace))) { - tmp_acl->aces = talloc_realloc(tmp_acl, - tmp_acl->aces, - struct security_ace, - tmp_acl->num_aces+1); - if (tmp_acl->aces == NULL) { - talloc_free(tmp_ctx); - return NULL; - } - tmp_acl->aces[tmp_acl->num_aces] = *ace; - desc_expand_generic(&tmp_acl->aces[tmp_acl->num_aces], - owner, - group); - tmp_acl->aces[tmp_acl->num_aces].flags = SEC_ACE_FLAG_INHERITED_ACE; - tmp_acl->num_aces++; - } + if (expand_only) { + continue; } } + + tmp_acl->aces = talloc_realloc(tmp_acl, + tmp_acl->aces, + struct security_ace, + tmp_acl->num_aces+1); + if (tmp_acl->aces == NULL) { + talloc_free(tmp_ctx); + return NULL; + } + + tmp_ace = &tmp_acl->aces[tmp_acl->num_aces]; + tmp_acl->num_aces++; + + *tmp_ace = *ace; + tmp_ace->flags |= SEC_ACE_FLAG_INHERITED_ACE; + + if (inherited_only) { + tmp_ace->flags 
|= SEC_ACE_FLAG_INHERIT_ONLY;
+ } else {
+ tmp_ace->flags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
+ }
+
+ if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
+ tmp_ace->flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT;
+ tmp_ace->flags &= ~SEC_ACE_FLAG_OBJECT_INHERIT;
+ tmp_ace->flags &= ~SEC_ACE_FLAG_NO_PROPAGATE_INHERIT;
+ }
 }
 if (tmp_acl->num_aces == 0) {
 return NULL;
diff --git a/python/samba/__init__.py b/python/samba/__init__.py
index 54c67fed233..c4ddf18da60 100644
--- a/python/samba/__init__.py
+++ b/python/samba/__init__.py
@@ -235,10 +235,25 @@ class Ldb(_Ldb):
 :param ldif: LDIF text.
 """
 for changetype, msg in self.parse_ldif(ldif):
+ if changetype == ldb.CHANGETYPE_NONE:
+ changetype = ldb.CHANGETYPE_MODIFY
+
 if changetype == ldb.CHANGETYPE_ADD:
 self.add(msg, controls)
- else:
+ elif changetype == ldb.CHANGETYPE_MODIFY:
 self.modify(msg, controls)
+ elif changetype == ldb.CHANGETYPE_DELETE:
+ deldn = msg
+ self.delete(deldn, controls)
+ elif changetype == ldb.CHANGETYPE_MODRDN:
+ olddn = msg["olddn"]
+ deleteoldrdn = msg["deleteoldrdn"]
+ newdn = msg["newdn"]
+ if deleteoldrdn is False:
+ raise ValueError("Invalid ldb.CHANGETYPE_MODRDN with deleteoldrdn=False")
+ self.rename(olddn, newdn, controls)
+ else:
+ raise ValueError("Invalid ldb.CHANGETYPE_%u: %s" % (changetype, msg))
 def substitute_var(text, values):
diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py
index e2d1e38ccf9..5b911685db8 100644
--- a/python/samba/descriptor.py
+++ b/python/samba/descriptor.py
@@ -201,6 +201,13 @@ def get_domain_descriptor(domain_sid, name_map=None):
 "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
 "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)" \
 "(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)" \
+ "(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)" \
-- Samba Shared Repository
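Review bot: The grow-the-ACL sequence (talloc_realloc of tmp_acl->aces, NULL check with talloc_free(tmp_ctx)/return NULL, take &tmp_acl->aces[num_aces], num_aces++, *tmp_ace = *ace) now appears twice in this function — once for the expanded ACE at the top of this hunk (its talloc_realloc sits in the preceding hunk) and again verbatim for the inherited ACE further down — so a static helper that appends one copied ACE and returns the new slot would remove the duplication and keep the two OOM paths identical; the rewritten call sites are sketched below, with the unchanged flag fix-ups elided. Separately, the comment introducing the _OBJECT downgrade switch reads "downgrate" and should say `* we need to downgrade the _OBJECT variants`. The per-ACE state this hunk consumes (applies, expand_ace, expand_only, inherited_only, inherited_object, inherited_property) is set at the top of the loop iteration, which lies before this hunk, so I could not confirm from here that each is reset on every iteration. The enclosing function calculate_inherited_from_parent() starts before this hunk.
```c
/* Append a copy of *ace to acl; returns the new slot or NULL on OOM. */
static struct security_ace *acl_append_ace(struct security_acl *acl,
					   const struct security_ace *ace)
{
	struct security_ace *new_ace;

	acl->aces = talloc_realloc(acl, acl->aces,
				   struct security_ace,
				   acl->num_aces + 1);
	if (acl->aces == NULL) {
		return NULL;
	}
	new_ace = &acl->aces[acl->num_aces];
	acl->num_aces++;
	*new_ace = *ace;
	return new_ace;
}

		/* … unchanged: applies/expand_ace/inherited_only selection … */
		if (expand_ace) {
			tmp_ace = acl_append_ace(tmp_acl, ace);
			if (tmp_ace == NULL) {
				talloc_free(tmp_ctx);
				return NULL;
			}
			/* … unchanged: desc_expand_generic() and expanded-ACE flag/type fix-ups … */
		}

		tmp_ace = acl_append_ace(tmp_acl, ace);
		if (tmp_ace == NULL) {
			talloc_free(tmp_ctx);
			return NULL;
		}
		/* … unchanged: SEC_ACE_FLAG_INHERITED_ACE / INHERIT_ONLY / NO_PROPAGATE handling … */
```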
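Review bot: The new CHANGETYPE_DELETE and CHANGETYPE_MODRDN branches, and the two new ValueError paths, are not reflected in the method's docstring, whose visible tail still only says `:param ldif: LDIF text.`; I would add `:raises ValueError: if a record uses an unsupported changetype, or a modrdn record has deleteoldrdn=False.` and a sentence noting that a record without a changetype is treated as a modify. The guard `if deleteoldrdn is False:` only fires when the parser hands back the bool False; if that is the only value the C side can produce it is fine, but `if not deleteoldrdn:` would express the same intent and also reject a missing/None value, assuming that is what is wanted. The `%u` conversion in `"Invalid ldb.CHANGETYPE_%u: %s"` is an obsolete alias for `%d` in Python and could be written as `%d`. The enclosing method's signature and the start of its docstring are above this hunk.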